#KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Dear Listers,
Kenya has had its fair share of high-profile cyber threats, hacking etc., the latest being the alleged compromise of the IFMIS system at NYS/Ministry of Devolution. The country and Africa at large are making efforts to assure cyber-security. These include among others her involvement in the Africa Union Convention on Cybercrime and a proposal for a Cybercrime law, an initiative led by the Office of the Director of Public Prosecutions. Significant financial resources have also been earmarked by government for security and cyber security in particular. There are also partnerships between government and private sector in deploying cybersecurity centres.
The private sector has employed practical measures to protect their businesses. However, businesses such as mobile money providers and banks have been shy to divulge their cyber security concerns to protect their interests.
Civil society on the other hand has raised concern about the line between protecting the cyber space and creating a facilitative environment for innovators as well as protecting the rights of users.
Are our efforts at deterring cyber-crime the correct way to assure cyber security? Are fears about a partnership between government and private sector and the general fears about stifling innovation and human rights in the name of cybersecurity legitimate? Are there other practical approaches that different stakeholders can take to enhance cyber security?
Over to you.
-- Grace L.N. Mutung'u Nairobi Kenya Skype: gracebomu Twitter: @Bomu
<http://www.diplointernetgovernance.org/profile/GraceMutungu>

Hello all,
I think most of our security concerns stem from internal users, and this is the reason many banks and telcos refuse to part with this information. I could be wrong though.
On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <skunkworks@lists.my.co.ke> wrote:
-- Best Regards, Stephen Munguti. +254720425104

Well said with Steve and Explorer,
Security matters are tied to value systems. Without values there is no security. I stand to be corrected, but in the Vision 2030 document we had a pillar that received very little attention. This pillar touched on national values; I think this is where the rain started beating us on the security front. Recent interventions from the government and religious communities have emphasized collective responsibilities and being your brother's keeper (Nyumba kumi et al). I think the same approach should be applied to stem Cyber Security, that is, sensitizing users on the importance of confidentiality. This can best be done by implementing security standards such as the ISO 27000 series, which break down security into a layman's language.
Regards
On 7/21/15, Stephen Munguti via skunkworks <skunkworks@lists.my.co.ke> wrote:
-- Barrack O. Otieno +254721325277 +254-20-2498789 Skype: barrack.otieno http://www.otienobarrack.me.ke/

The biggest question is whether the people responsible for CyberSecurity in government have the resources and technical capacity. A good example is the recent embarrassing hackingteam exposure in which one of the officers in the NSIS is captured seeking international help in defacing a simple blog.
On Jul 21, 2015 10:22 AM, "Barrack Otieno via skunkworks" <skunkworks@lists.my.co.ke> wrote:

On 21 July 2015 at 11:00, Jared Koyier via Security <security@lists.my.co.ke> wrote:
The biggest question is whether people responsible for CyberSecurity in government have the resources and technical capacity. Good example is the recent embarrassing hackingteam exposure in which one of the officers in the NSIS is captured seeking international help in defacing a simple blog.
Just for the record, here is the email transcript where Kenyan State House operatives were allegedly seeking EXTERNAL help to hack Kenya websites https://www.wikileaks.org/hackingteam/emails/?q=kensi.org&mfrom=&mto=&title=... and this is how Nation reported the story: http://mobile.nation.co.ke/news/NIS-WikiLeaks-Hacking-Team-Surveillance/-/19...
Of interest is that sometime back, a Kenyan government agency was giving orders that all websites should be hosted locally. From the Hacking Team fiasco, we can clearly see why the government wants websites to be hosted locally: so that they can just physically seize the computer box instead of having to employ hackers from Russia to do the dirty job for them.
I am surprised Civil Society actors have not come out very strongly to question this move of internal hacking by government. After Snowden, we saw how Civil Society in the US came out very strongly to protest the violation of basic rights by the State. The US government had to apologize for the embarrassing revelations, and try to cover its back.
Of course the argument I hear these days is that there is no government that does not do cyber espionage, only that some governments are more adept in their skills than others.
Regards
______________________
Mwendwa Kivuva, Nairobi, Kenya
"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson

Then the trending issue of the day. Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin sim. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-t...
London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing the system.
Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
Now the thin sim is here, and Equitel has said it will encrypt all data to and from the thin sim. Can experts in this area assure us that the use of thin sims will not affect the integrity of M-Pesa transactions?
Regards

@Hosea,
could not have put it more appropriately
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke> wrote:
-- Best Regards, Stephen Munguti. +254720425104

@mwendwa,
It's possible for the owner of the network of the thin sim to be privy to information that only the host network sim should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same.
On Tue, Jul 21, 2015 at 2:02 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:
-- Best Regards, Stephen Munguti. +254720425104

Stephen,
Then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin sim. Therefore any security-conscious users would not dare jeopardize their transactions by using thin sim. The question then is, how many of us care about their transaction security?

@mwendwa
http://www.gsma.com/publicpolicy/wp-content/uploads/2014/08/GSMA-Security-Gr...
The major risk is Equitel's internal staff; I have never witnessed over-the-air GSM hacks.
On Tue, Jul 21, 2015 at 2:20 PM, Mwendwa Kivuva <Kivuva@transworldafrica.com> wrote:
-- Best Regards, Stephen Munguti. +254720425104
Participants (5): Barrack Otieno, Grace Mutung'u (Bomu), Jared Koyier, Mwendwa Kivuva, Stephen Munguti